Skip to content

Policies

Policies define the security and compliance rules that govern agent behavior. AegisAI evaluates policies through an OPA-powered Rego engine with built-in templates for GDPR, HIPAA, and FZ-152.

Policy List

The Policies page shows all tenant policies with:

Column Description
Name Policy display name
Severity low, medium, high, critical
Status Active or inactive
Default Whether this is the tenant default policy
Description Human-readable summary

Use the Create Policy button to add a new policy from a template or scratch.

Policy Templates

Built-in Rego templates are available via GET /api/v1/policies/templates:

Template ID Name Framework Severity
gdpr GDPR Compliance EU General Data Protection Regulation Critical
hipaa HIPAA Compliance US Health Insurance Portability and Accountability Act Critical
fz152 FZ-152 Personal Data Russian Federal Law on Personal Data Critical
hitl Human-in-the-Loop Requires human approval for critical ops High
custom Custom Policy Template Customizable allow/deny rules Medium

GDPR Template

Enforces EU personal data protection:

  • Blocks PII access without explicit consent
  • Requires lawful basis for data processing
  • Denies cross-border transfers without adequate safeguards

HIPAA Template

Protects Protected Health Information (PHI):

  • Blocks PHI export or external transmission
  • Requires authorization for PHI access
  • Enforces minimum necessary access principle

FZ-152 Template

Enforces Russian personal data rules:

  • Requires data localization within approved jurisdictions
  • Controls cross-border data transfer
  • Mandates consent for personal data processing

Compliance disclaimer

Built-in templates provide a starting point. Consult legal counsel to ensure policies meet your organization's regulatory obligations.

Creating a Policy

  1. Click Create Policy
  2. Select a template (or start blank)
  3. Configure:
  4. Name — e.g., "GDPR Compliance — Production"
  5. Description — purpose and scope
  6. Severity — impact level if violated
  7. Rules — JSON rule definitions (from template or custom)
  8. Active — enable immediately
  9. Default — apply as tenant default
  10. Click Save

Policy Check

Test whether an action is allowed before executing it:

curl -X POST http://localhost:8000/api/v1/policies/check \
  -H "X-API-Key: <your-api-key>" \
  -H "Content-Type: application/json" \
  -d '{
    "agent_id": "<uuid>",
    "action": "read_data",
    "resource": "customer_pii",
    "context": {
      "consent": true,
      "lawful_basis": "consent",
      "purpose": "customer_support"
    }
  }'

Response fields:

Field Type Description
allowed boolean Whether the action is permitted
reason string Human-readable decision reason
severity string high, critical, or null
required_approval boolean Whether HITL approval is needed
risk_score float 0.0–1.0 composite risk score
risk object Risk level breakdown
anomaly object Anomaly detection result

Denied actions

When allowed is false, a policy.violated WebSocket event is published. If an anomaly is detected, it is automatically reported.

Editing and Deleting

Action Endpoint Permission
List GET /api/v1/policies policies:read
Get GET /api/v1/policies/{id} policies:read
Create POST /api/v1/policies policies:create
Update PUT /api/v1/policies/{id} policies:update
Delete DELETE /api/v1/policies/{id} policies:delete

OPA Integration

At startup, AegisAI loads all .rego files from policies/templates/ into OPA. The main.rego module aggregates decisions from all sub-modules.

If OPA is unavailable, the platform falls back to an in-process Python policy engine with equivalent GDPR, HIPAA, and FZ-152 logic.

Check OPA health:

curl http://localhost:8181/health
  • HITL — approval workflow for blocked actions
  • Anomalies — behavioral anomaly detection
  • API Reference — full policy endpoints